From 84e2346b7ae9c50f95701027f8d860424623a294 Mon Sep 17 00:00:00 2001
From: Joe Lawrence <joe.lawrence@redhat.com>
Date: Fri, 14 Jan 2022 09:25:24 -0500
Subject: [KPATCH CVE-2022-0185] vfs: kpatch fixes for CVE-2022-0185
Kernels:
4.18.0-348.el8
4.18.0-348.2.1.el8_5
4.18.0-348.7.1.el8_5
Changes since last build:
arches: x86_64 ppc64le
fs_context.o: changed function: legacy_parse_param
---------------------------
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/15
Approved-by: Artem Savkov (@artem.savkov)
Kernels:
4.18.0-348.el8
4.18.0-348.2.1.el8_5
4.18.0-348.7.1.el8_5
Modifications: none
commit 689263a917cde581464bdc69777dd0f3d9e808af
Author: Frantisek Hrbata <fhrbata@redhat.com>
Date: Fri Jan 14 10:30:05 2022 +0100
vfs: Out-of-bounds write of heap buffer in fs_context.c
Bugzilla: https://bugzilla.redhat.com/2040585
CVE: CVE-2022-0185
From Jamie Hill-Daniel <jamie@hill-daniel.co.uk>
The "PAGE_SIZE - 2 - size" calculation is is an unsigned type so
a large value of "size" results in a high positive value. This
results in heap overflow which can be exploited by a standard
user for privilege escalation.
Signed-off-by: Frantisek Hrbata <fhrbata@redhat.com>
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
---
fs/fs_context.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/fs_context.c b/fs/fs_context.c
index b1eacb03b72f..c921102b2398 100644
--- a/fs/fs_context.c
+++ b/fs/fs_context.c
@@ -563,8 +563,10 @@ static int legacy_parse_param(struct fs_context *fc, struct fs_parameter *param)
return invalf(fc, "VFS: Legacy: Parameter type for '%s' not supported",
param->key);
}
-
- if (len > PAGE_SIZE - 2 - size)
+ /* Subtracting 'size' from PAGE_SIZE can lead to integer underflow,
+ * so check bounds using addition instead.
+ */
+ if (size + len + 2 > PAGE_SIZE)
return invalf(fc, "VFS: Legacy: Cumulative options too large");
if (strchr(param->key, ',') ||
(param->type == fs_value_is_string &&
--
2.26.3